CVE-2023-24523
8.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
An attacker authenticated as a non-admin user with local access to a server port assigned to the SAP Host Agent (Start Service) - versions 7.21, 7.22, can submit a crafted ConfigureOutsideDiscovery request with an operating system command which will be executed with administrator privileges. The OS command can read or modify any user or system data and can make the system unavailable.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SAP | Host Agent Service | 7.21 | affected |
| SAP | Host Agent Service | 7.22 | affected |
Weaknesses
- CWE-668: CWE-668: Exposure of Resource to Wrong Sphere
ADP Enrichment
CVE Program Container
Additional References
- https://launchpad.support.sap.com/#/notes/3285757
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
References
- https://launchpad.support.sap.com/#/notes/3285757
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.